CVE-2025-43775
Liferay Portal is vulnerable to XSS attacks via its remote app title field
EPSS 0.04%
Description
A stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via the remote app title field.
How to fix CVE-2025-43775
To remediate CVE-2025-43775, upgrade the affected package to the fixed version listed below.
- Maven: com.liferay:com.liferay.client.extension.web, upgrade to 2.0.27 or later
Is CVE-2025-43775 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven: com.liferay:com.liferay.client.extension.web, versions >= 1.0.71 and < 2.0.27
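The following is an added example, not code from the advisory or from Liferay: it checks dependency coordinates against the affected range stated above (>= 1.0.71, < 2.0.27) so a build can be flagged before the upgrade. It assumes `mvn dependency:tree` output in the form `groupId:artifactId:type:version[:scope]`; the sample tree lines are constructed for the example.

```python
# Added example (not from the advisory): flag the affected Maven artifact for
# CVE-2025-43775. Range bounds come from the advisory; sample input is constructed.
import re

AFFECTED_ARTIFACT = "com.liferay:com.liferay.client.extension.web"
INTRODUCED = (1, 0, 71)   # affected from 1.0.71 (inclusive), per the advisory
FIXED = (2, 0, 27)        # fixed in 2.0.27, per the advisory


def parse_version(version):
    """Turn '2.0.27' into (2, 0, 27); a qualifier such as '-SNAPSHOT' is ignored."""
    numeric_part = version.split("-")[0]
    return tuple(int(n) for n in re.findall(r"\d+", numeric_part))


def is_affected(version):
    """True when INTRODUCED <= version < FIXED (tuple comparison handles 1.0.9 < 1.0.71)."""
    return INTRODUCED <= parse_version(version) < FIXED


# Constructed sample in the shape `mvn dependency:tree` prints (assumed format).
SAMPLE_TREE = """\
[INFO] com.example:portal-ext:jar:1.0.0
[INFO] +- com.liferay:com.liferay.client.extension.web:jar:2.0.12:compile
[INFO] +- com.liferay:com.liferay.client.extension.web:jar:2.0.27:compile
[INFO] \\- com.liferay:com.liferay.portal.kernel:jar:100.0.0:compile
"""

COORD_RE = re.compile(r"([\w.\-]+:[\w.\-]+):jar:([\w.\-]+)")


def find_affected(tree_text):
    """Return the versions of the affected artifact that fall inside the vulnerable range."""
    hits = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        coords, version = match.groups()
        if coords == AFFECTED_ARTIFACT and is_affected(version):
            hits.append(version)
    return hits


if __name__ == "__main__":
    for v in find_affected(SAMPLE_TREE):
        print(f"{AFFECTED_ARTIFACT}:{v} is in the affected range; upgrade to 2.0.27 or later")
```

Pipe real `mvn dependency:tree` output into `find_affected` to apply the same check to a build; only the range and artifact name are taken from the advisory.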
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |

The vector's PR:H and UI:A components indicate that storing the payload requires a highly privileged account and that triggering it requires interaction from a user who views the rendered title; the low confidentiality and integrity impact on both the vulnerable and subsequent systems is consistent with a stored XSS in an administrative field.